055eeb231a8d164638fb06673045514b018f738753e48f57f8ed48cac34f7af7

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23149475a606c307ddfbd83ec62eae50.exe
Size

1.0MB
MD5

23149475a606c307ddfbd83ec62eae50
SHA1

7b26528730414618ecdcce58f3f5ba16d604e13b
SHA256

055eeb231a8d164638fb06673045514b018f738753e48f57f8ed48cac34f7af7
SHA512

21ddb20d0177918248a95bf20fd2438a7ab67925c04ee8f4fc272a1a392df6ca481790457dd5f1698c636cb39299ea50986037e6dc8c79798871ce492b586ed2
SSDEEP

24576:HbSaE4mvt/+/EWIw4ri+BQNnMabVAF318gp:HbSv4mvEDOgsPp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
604	File.exe
1744	eicabfbcibhi.exe

Loads dropped DLL 10 IoCs

pid	Process
604	File.exe
604	File.exe
604	File.exe
844	WerFault.exe
844	WerFault.exe
844	WerFault.exe
844	WerFault.exe
844	WerFault.exe
844	WerFault.exe
844	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
844	1744	WerFault.exe

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000016cbe-67.dat	nsis_installer_1
behavioral1/files/0x0007000000016cbe-67.dat	nsis_installer_2
behavioral1/files/0x0007000000016cbe-72.dat	nsis_installer_1
behavioral1/files/0x0007000000016cbe-72.dat	nsis_installer_2
behavioral1/files/0x0007000000016cbe-73.dat	nsis_installer_1
behavioral1/files/0x0007000000016cbe-73.dat	nsis_installer_2

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	23149475a606c307ddfbd83ec62eae50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	23149475a606c307ddfbd83ec62eae50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	23149475a606c307ddfbd83ec62eae50.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	23149475a606c307ddfbd83ec62eae50.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2948	23149475a606c307ddfbd83ec62eae50.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	23149475a606c307ddfbd83ec62eae50.exe
Token: SeIncreaseQuotaPrivilege	824	wmic.exe
Token: SeSecurityPrivilege	824	wmic.exe
Token: SeTakeOwnershipPrivilege	824	wmic.exe
Token: SeLoadDriverPrivilege	824	wmic.exe
Token: SeSystemProfilePrivilege	824	wmic.exe
Token: SeSystemtimePrivilege	824	wmic.exe
Token: SeProfSingleProcessPrivilege	824	wmic.exe
Token: SeIncBasePriorityPrivilege	824	wmic.exe
Token: SeCreatePagefilePrivilege	824	wmic.exe
Token: SeBackupPrivilege	824	wmic.exe
Token: SeRestorePrivilege	824	wmic.exe
Token: SeShutdownPrivilege	824	wmic.exe
Token: SeDebugPrivilege	824	wmic.exe
Token: SeSystemEnvironmentPrivilege	824	wmic.exe
Token: SeRemoteShutdownPrivilege	824	wmic.exe
Token: SeUndockPrivilege	824	wmic.exe
Token: SeManageVolumePrivilege	824	wmic.exe
Token: 33	824	wmic.exe
Token: 34	824	wmic.exe
Token: 35	824	wmic.exe
Token: SeIncreaseQuotaPrivilege	824	wmic.exe
Token: SeSecurityPrivilege	824	wmic.exe
Token: SeTakeOwnershipPrivilege	824	wmic.exe
Token: SeLoadDriverPrivilege	824	wmic.exe
Token: SeSystemProfilePrivilege	824	wmic.exe
Token: SeSystemtimePrivilege	824	wmic.exe
Token: SeProfSingleProcessPrivilege	824	wmic.exe
Token: SeIncBasePriorityPrivilege	824	wmic.exe
Token: SeCreatePagefilePrivilege	824	wmic.exe
Token: SeBackupPrivilege	824	wmic.exe
Token: SeRestorePrivilege	824	wmic.exe
Token: SeShutdownPrivilege	824	wmic.exe
Token: SeDebugPrivilege	824	wmic.exe
Token: SeSystemEnvironmentPrivilege	824	wmic.exe
Token: SeRemoteShutdownPrivilege	824	wmic.exe
Token: SeUndockPrivilege	824	wmic.exe
Token: SeManageVolumePrivilege	824	wmic.exe
Token: 33	824	wmic.exe
Token: 34	824	wmic.exe
Token: 35	824	wmic.exe
Token: SeIncreaseQuotaPrivilege	2380	wmic.exe
Token: SeSecurityPrivilege	2380	wmic.exe
Token: SeTakeOwnershipPrivilege	2380	wmic.exe
Token: SeLoadDriverPrivilege	2380	wmic.exe
Token: SeSystemProfilePrivilege	2380	wmic.exe
Token: SeSystemtimePrivilege	2380	wmic.exe
Token: SeProfSingleProcessPrivilege	2380	wmic.exe
Token: SeIncBasePriorityPrivilege	2380	wmic.exe
Token: SeCreatePagefilePrivilege	2380	wmic.exe
Token: SeBackupPrivilege	2380	wmic.exe
Token: SeRestorePrivilege	2380	wmic.exe
Token: SeShutdownPrivilege	2380	wmic.exe
Token: SeDebugPrivilege	2380	wmic.exe
Token: SeSystemEnvironmentPrivilege	2380	wmic.exe
Token: SeRemoteShutdownPrivilege	2380	wmic.exe
Token: SeUndockPrivilege	2380	wmic.exe
Token: SeManageVolumePrivilege	2380	wmic.exe
Token: 33	2380	wmic.exe
Token: 34	2380	wmic.exe
Token: 35	2380	wmic.exe
Token: SeIncreaseQuotaPrivilege	1212	wmic.exe
Token: SeSecurityPrivilege	1212	wmic.exe
Token: SeTakeOwnershipPrivilege	1212	wmic.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 604	2948	23149475a606c307ddfbd83ec62eae50.exe	42
PID 2948 wrote to memory of 604	2948	23149475a606c307ddfbd83ec62eae50.exe	42
PID 2948 wrote to memory of 604	2948	23149475a606c307ddfbd83ec62eae50.exe	42
PID 2948 wrote to memory of 604	2948	23149475a606c307ddfbd83ec62eae50.exe	42
PID 604 wrote to memory of 1744	604	File.exe	41
PID 604 wrote to memory of 1744	604	File.exe	41
PID 604 wrote to memory of 1744	604	File.exe	41
PID 604 wrote to memory of 1744	604	File.exe	41
PID 1744 wrote to memory of 824	1744	eicabfbcibhi.exe	31
PID 1744 wrote to memory of 824	1744	eicabfbcibhi.exe	31
PID 1744 wrote to memory of 824	1744	eicabfbcibhi.exe	31
PID 1744 wrote to memory of 824	1744	eicabfbcibhi.exe	31
PID 1744 wrote to memory of 2380	1744	eicabfbcibhi.exe	40
PID 1744 wrote to memory of 2380	1744	eicabfbcibhi.exe	40
PID 1744 wrote to memory of 2380	1744	eicabfbcibhi.exe	40
PID 1744 wrote to memory of 2380	1744	eicabfbcibhi.exe	40
PID 1744 wrote to memory of 1212	1744	eicabfbcibhi.exe	38
PID 1744 wrote to memory of 1212	1744	eicabfbcibhi.exe	38
PID 1744 wrote to memory of 1212	1744	eicabfbcibhi.exe	38
PID 1744 wrote to memory of 1212	1744	eicabfbcibhi.exe	38
PID 1744 wrote to memory of 1824	1744	eicabfbcibhi.exe	37
PID 1744 wrote to memory of 1824	1744	eicabfbcibhi.exe	37
PID 1744 wrote to memory of 1824	1744	eicabfbcibhi.exe	37
PID 1744 wrote to memory of 1824	1744	eicabfbcibhi.exe	37
PID 1744 wrote to memory of 2400	1744	eicabfbcibhi.exe	36
PID 1744 wrote to memory of 2400	1744	eicabfbcibhi.exe	36
PID 1744 wrote to memory of 2400	1744	eicabfbcibhi.exe	36
PID 1744 wrote to memory of 2400	1744	eicabfbcibhi.exe	36
PID 1744 wrote to memory of 844	1744	eicabfbcibhi.exe	35
PID 1744 wrote to memory of 844	1744	eicabfbcibhi.exe	35
PID 1744 wrote to memory of 844	1744	eicabfbcibhi.exe	35
PID 1744 wrote to memory of 844	1744	eicabfbcibhi.exe	35

C:\Users\Admin\AppData\Local\Temp\23149475a606c307ddfbd83ec62eae50.exe
"C:\Users\Admin\AppData\Local\Temp\23149475a606c307ddfbd83ec62eae50.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:604

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704421299.txt bios get serialnumber
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 368
1⤵
- Loads dropped DLL
- Program crash
PID:844

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704421299.txt bios get version
1⤵
PID:2400

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704421299.txt bios get version
1⤵
PID:1824

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704421299.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic /output:C:\Users\Admin\AppData\Local\Temp\81704421299.txt bios get version
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Users\Admin\AppData\Local\Temp\eicabfbcibhi.exe
C:\Users\Admin\AppData\Local\Temp\eicabfbcibhi.exe 9-5-2-9-3-5-1-5-3-4-9 JktHOzosMis0LxcmTlM5TURDOC0cJkVAUk5MTUpEQTknFypCQFBPSD86LisvMjUXLD5IPzosFyZLUEZBUEJPXEU7NC4xKTIbLk5CTk08TV1MT0c8Y3FwZzEqLWpvcS0/Qk9CJE9NRyo8T0srRUU9Sh4mQEdIPkhFOzQ/WCgtZzVqamJPFypCKDpJVEg/QUkXKkIpOigwGyxAKjQoLxcsPzM4Ki0XJj8zNCosHypNTkY7UEFLXEtRRFM9OlA4HiZNTU4/Uj9LVkBTQz44HypNTkY7UEFLXElASEI5FyZAVjxcUFFHOhwmPFNDVkBIQ0dGSjw0Gy0/TE5TWj9ORk5OQ0k6LR8qUUQ4RUZXRlJaVE1JORcmUUs0LxsuP1AtNBcqUExLT0hIQltOPEdBRkpASEg+QzxMTUo0HSpITlxOTEVPR0RCOHNtcmEXJk1DS1JNTURLQ1ZMTkNJXD9AVFA5KRcqRkBBQFc4LhwmQE5dO1ZJQEhGP1Y8SUFJVktTQEE5XVhncVwdKkNKVEpDRjxCVkZLPCwtNSUoLTAlLi0xKTEwFyZPR0RCODAvLzQsKSs2KzIbLj9MU0VDSj87XE9ISEI5KyYzLSktLDQlNDYpJzUyLCdLTA==
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
557KB

MD5
462c994d39de40e45b378fb54993852c

SHA1
a5985d3c7cd7a4acf42e83b8383b752c490752fd

SHA256
fbcc5ccaca3572d79d593d38fada5d75245b5226c5662b2220f599e33e71e4c5

SHA512
2c023d50f0b6eae0a7017b4fbe1733f7042e9b40fb6570a3c8330911bbc15db97a8312beb3d9e5c235fa0889189d6030c5828640c45221830c638472eac844c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
482KB

MD5
ad59a194a0bc65594413a92b52645671

SHA1
156d637891779aca3bf61982fbf32b1a3177a404

SHA256
435223e0dae985b44a7261352140df132c471b863242df0540dcc28cc9b7b450

SHA512
62712dc23390d91077269694341bc0bcba63123b1ae703828a13d240390b7d83c353f53244eaea91fa2b0b91c98030eff6ca03c35cb179b887d09ae19c5a72e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
136KB

MD5
5c3cb7a3d323423d42b5f857cc97a256

SHA1
0ef1871d7153be41d2c23d1c3a6f23e80f90a8db

SHA256
347b21a75dbabb4c16479f95fa755160bb0220933b0b6594c5b0f6c57eb39d72

SHA512
deb97251699dcb270e935d715a48b0151cdec5cba3ca38c5588191524302bb5236ca4c39db1cbf57a11093223872cd63c20d679c7f7b179ac344a04b5d70a209

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst88D0.tmp\dnjzh.dll

Filesize
99KB

MD5
b359b4cd84eadfe10082c99dc384c913

SHA1
e890a577148f49031fbbff9443dde34048252858

SHA256
3f75690293eab5b59d299f1ea3698889e9d8c898bdda0506124b804df3035a93

SHA512
d4919b0d70f62d555657fb053e6cdcd96be87fb85e96bad2ec81c4965f7596480d375b68c34ab6564db93d0e532c71a5a0906e4ea6589ae6f316b0b9dba12b77

Download Submit
\Users\Admin\AppData\Local\Temp\nst88D0.tmp\dnjzh.dll

Filesize
125KB

MD5
7d7518d98e68eebbb02ee06a931fd0c6

SHA1
73a1c22beb0381aa241a4542df29d20a9da5e033

SHA256
6fd1735c87fd55624f93a5141710324ba6c23788c8804ce387592a6599fe7f14

SHA512
bb33af0a4b0f21fb13112cdd6880575c5ff7b19b67ec6db74f7c558a7666f8aa34864650313a4e5f56afb239da0d7e1a6c9e6c1d789907aa2c31e930e7103117

Download Submit
\Users\Admin\AppData\Local\Temp\nst88D0.tmp\nsisunz.dll

Filesize
6KB

MD5
b519d78fde7eb1fa2f97a8b85fc995a2

SHA1
f1f54def99aa0186e7d3cba6b56a20f95f955845

SHA256
fe16e11f4c26b50b35f53b604fd25141ee39a9770e461a488bdadf1bb9beb757

SHA512
146ab0d020a24ab8b347fa45be0762205538c50223d81a5c872d1f4b2c559f4aca47fe3a3e4336dd38ccecf722d84a728a993506202343be6d6a9e60355b7ad2

Download Submit
memory/2948-1-0x0000000000B80000-0x0000000000C00000-memory.dmp

Filesize
512KB

Download
memory/2948-0-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download
memory/2948-62-0x000000001AE10000-0x000000001AE88000-memory.dmp

Filesize
480KB

Download
memory/2948-109-0x0000000000B80000-0x0000000000C00000-memory.dmp

Filesize
512KB

Download
memory/2948-108-0x000007FEF5140000-0x000007FEF5ADD000-memory.dmp

Filesize
9.6MB

Download